Malware Analysis Report

2025-03-15 08:17

Sample ID 241016-eflygsvhkl
Target 529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN
SHA256 529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3c
Tags upx, discovery, ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10

SHA256 529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3c

Threat Level: Likely malicious

The file 529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (5117) files with added filename extension

Renames multiple (3718) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-10-16 03:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 03:53

Reported

2024-10-16 03:55

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe"

Signatures

Renames multiple (3718) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe

"C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe"

Network

N/A

Files

memory/2756-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 0d64b3b357f9bb65a2ce512d79a32c65
SHA1 cd0204bbd1a3dd0057b4e441b860cbdfcd75589f
SHA256 cae0464be41829ea710b0d12455702c6778371ee864354b90ac22156f749e98d
SHA512 d9f1dc8ab4cfdafd52c73c233e0a6d333f268394ef07f710d09247cf40d6a9848a05bc3ee426ef487df59d3ed10c90a01ba9522311008b7612f02f6b1168721b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e153860f9dffef1c5441940c41d7752f
SHA1 38399368d76507081f68d9aa0679e698dfb6b360
SHA256 a82f8fb32a94fe611ad687f752cbf53081692b02161ce0b37ac603619310dbcc
SHA512 918dbfe3f75e3fd4249ee0be3a28ae1b85a88ecf767e282f88de91e4189c8f21a5eb3d9bff4521ba9884f4a60582e1ae2b90550ed9d6ad9093f1361c789bd99b

memory/2756-74-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 03:53

Reported

2024-10-16 03:55

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe"

Signatures

Renames multiple (5117) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe

"C:\Users\Admin\AppData\Local\Temp\529eeb6ca1e0108042d929d1fd8c918a7d47cd4ec0859714f28c83735a5a2f3cN.exe"

Network

Country Destination Domain Proto

Files

memory/672-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 231d383ff940fcf5248010f903b99ec7
SHA1 f05a5825494c15336b8ea599892aa19df959602c
SHA256 b8f7cd125bfa86ad46afcdecbfb93f0dff447362e1530a980dd1224ce622fb20
SHA512 7f45c67cd35db9db55869f9ba0002507a9e2477a45cc5af4dc5e2a343d11b5fdaa5a81dc66b9544c8ea26419a9d6c92dee614076a419b30f73a19b2635497bb8

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 068139c49e9e644dbcb00dabffaadcfc
SHA1 a5fa238da8bf4725ae76db9d0d147d86a8fbb4a4
SHA256 b9e7daeffaf058b816f4ad48e1cda55bc757cdd45071e489efbfdee9adbf2722
SHA512 0e778e17256e4855d47b418b335c81a39ae30b285e402ac7f7e3a6a1b76178c4aab02a0dbb9c40bda8aad8022c5069d7f53845cee3f000475bdc26b8dbd994ab

memory/672-784-0x0000000000400000-0x000000000040B000-memory.dmp